The Canadian Privacy Law Blog: Developments in privacy law and writings of a Canadian privacy lawyer, containing information related to the Personal Information Protection and Electronic Documents Act (aka PIPEDA) and other Canadian and international laws.

Monday, June 24, 2013

Canadian federal government needs to get its own privacy house in order

No big surprise, but the Federal Privacy Commissioner, Jennifer Stoddart, has found that the federal government is seriously lacking as far as dealing with data breaches is concerned. Incomplete data produced by the government shows more than 3,000 breaches over ten years, affecting three quarters of a million Canadians. (And I'm sure this is just the tip of the iceberg.)

OTTAWA - Canada's privacy czar has singled out several federal departments for their lacklustre approach to data breaches, citing a need for better reporting, security and tracking protocols.

Privacy commissioner Jennifer Stoddart's office has compiled a preliminary list of agencies with potentially worrisome patterns when it comes to the loss of Canadians' personal information.

The analysis is based on departmental figures tabled in Parliament in April in response to a question from New Democrat MP Charlie Angus. The response indicated there were more than 3,000 data breaches over a 10-year period affecting about 725,000 Canadians.

Stoddart's staff cautions that the figures paint a statistical picture but do not shed full light on the kind of data involved in the breaches.

Still, the office says two departments — Fisheries and Oceans and Public Safety — "may lack adequate reporting mechanisms" for alerting the privacy commissioner of a data loss.

Fisheries reported three breaches affecting 73 people between 2002 and 2012. However, for the same period there were actually 12 lapses affecting 4,690 individuals.

None of the 28 breaches that occurred at Public Safety after 2009 was reported, says the privacy commissioner.

"A cursory comparison between institutions indicates that they do not seem to have a consistent method for reporting breaches," say notes prepared by Stoddart's office. "Some systematically report breaches, others almost never."

Institutions that "may have systematic issues in safeguard and security protocols" are Citizenship and Immigration, Passport Canada, the Correctional Service, the RCMP, the Parole Board and Veterans Affairs.

Citizenship and Immigration had 161 breaches in 2012 alone, while the passport office had 131 incidents in 2011-12, said the commissioner.

Finally, the Canada Revenue Agency was not able to present any data, suggesting a "deficiency in tracking and auditing."

The difficulty with federal data breaches is not new, Stoddart said in an interview.

"We know it's a systemic problem. We've seen it for years," she said. "So I think a positive action on the part of the government to strengthen education about it, prevention, followup and so on, would be the way to go."

The commissioner's office points out that while the federal Treasury Board has published guidelines for privacy breaches, they simply recommend — not require — that institutions notify the commissioner of certain kinds of breaches.

They include ones that involve sensitive personal data such as financial or medical information, can result in identity theft, or might otherwise harm or embarrass a person, damaging their career, reputation or well-being.

"Conversely, this means that there are a number of breaches that are not deemed to be serious enough to warrant notification to our office," say the notes. "We can presume that this may partially explain the vast number of unreported breaches."

During a recent meeting, Stoddart urged Treasury Board President Tony Clement to amend the privacy law to make reporting of federal data losses mandatory.

"It was a very positive meeting," Stoddart said. "Minister Clement seemed very concerned about the question of data and very interested in ways of strengthening data breach awareness, I'd say, and proactive work to minimize data breaches."

However, she said Clement "made no commitments" about enshrining mandatory reporting.

Andrea Mandel-Campbell, a spokeswoman for Clement, said Monday that the minister is taking Stoddart's comments "under consideration."

Angus says a "complete overhaul" of reporting procedures is needed. "Every breach must be reported to the privacy commissioner," he said Monday.

Government must also ensure Stoddart's office has the resources to investigate lapses and powers to effectively police both federal agencies and private companies that lose data, he said.

"She has to have the tools that she needs to protect privacy."

After Human Resources and Skills Development lost the personal information of more than half a million people who took out student loans, Angus's NDP colleague, digital issues critic Charmaine Borg, tabled a motion in February requesting a House of Commons committee study mandatory breach notification. It was defeated.

Please note that I am only able to provide legal advice to clients of my firm. If you have a privacy matter, please contact me about becoming a client. I am not able to provide free legal advice. Any unsolicited information sent to David Fraser may not be protected by solicitor-client privilege.

The views expressed herein are solely the author's and should not be attributed to his employer or clients. Any postings on legal issues are provided as a public service, and do not constitute solicitation or provision of legal advice. The author makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained herein or linked to. Due to professional ethics, the author may not be able to comment on matters in which a client has an interest. Nothing herein should be used as a substitute for the advice of competent counsel.

This web site is presented for informational purposes only. These materials do not constitute legal advice and do not create a solicitor-client relationship between you and David T.S. Fraser. If you are seeking specific advice related to Canadian privacy law or PIPEDA, contact the author, David T.S. Fraser.